Data Breaches: The Insanity Continues

The Identity Theft Resource Center Breach Report also monitors how breaches occur. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome. With that in mind:

Insanity 1 – Electronic breaches: After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information? Proprietary information almost always seems to be well protected. Why not our customer/consumer personal identifying information (PII)?

Insanity 2 – Paper breaches: Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII? Do we dare ask that those laws be actually enforceable? Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 – Breaches happen: Deal with it! You will get notification letters. Breach notification does not equal identity theft. Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website. This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 – A Breach is a Breach: Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.” If it is your #[email protected]%2 SSN that is out on the Internet, do YOU think there is “risk of harm?” Some companies might say “no.”

Insanity 5 – Data on the Move: You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years. But, really! This is 100% avoidable, either through use of encryption, or other safety measures. Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.” With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.”